rpms/selinux-policy/F-9 policy-20071130.patch, 1.129, 1.130 selinux-policy.spec, 1.655, 1.656

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Apr 23 20:30:08 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4760

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Wed Apr 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-39
- Change etc files to config files to allow users to read them


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.129
retrieving revision 1.130
diff -u -r1.129 -r1.130
--- policy-20071130.patch	22 Apr 2008 20:06:57 -0000	1.129
+++ policy-20071130.patch	23 Apr 2008 20:29:30 -0000	1.130
@@ -8,106 +8,6 @@
  - Label /proc/kallsyms with system_map_t.
  - 64-bit capabilities from Stephen Smalley.
  - Labeled networking peer object class updates.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
---- nsaserefpolicy/Makefile	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/Makefile	2008-04-21 11:02:47.842805000 -0400
-@@ -235,7 +235,7 @@
- appdir := $(contextpath)
- user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
- user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
--appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
- net_contexts := $(builddir)net_contexts
- 
- all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-@@ -309,20 +309,22 @@
- 
- # parse-rolemap modulename,outputfile
- define parse-rolemap
--	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
--		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-+	echo "" >> $2
-+#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-+#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
- endef
- 
- # perrole-expansion modulename,outputfile
- define perrole-expansion
--	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
--	$(call parse-rolemap,$1,$2)
--	$(verbose) echo "')" >> $2
--
--	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
--	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
--	$(call parse-rolemap-compat,$1,$2)
--	$(verbose) echo "')" >> $2
-+	echo "No longer doing perrole-expansion"
-+#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-+#	$(call parse-rolemap,$1,$2)
-+#	$(verbose) echo "')" >> $2
-+
-+#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-+#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-+#	$(call parse-rolemap-compat,$1,$2)
-+#	$(verbose) echo "')" >> $2
- endef
- 
- # create-base-per-role-tmpl modulenames,outputfile
-@@ -521,6 +523,10 @@
- 	@mkdir -p $(appdir)/users
- 	$(verbose) $(INSTALL) -m 644 $^ $@
- 
-+$(appdir)/initrc_context: $(tmpdir)/initrc_context
-+	@mkdir -p $(appdir)
-+	$(verbose) $(INSTALL) -m 644 $< $@
-+
- $(appdir)/%: $(appconf)/%
- 	@mkdir -p $(appdir)
- 	$(verbose) $(INSTALL) -m 644 $< $@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
---- nsaserefpolicy/Rules.modular	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.modular	2008-04-21 11:02:47.848797000 -0400
-@@ -73,8 +73,8 @@
- $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- 	@echo "Compliling $(NAME) $(@F) module"
- 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
--	$(call perrole-expansion,$(basename $(@F)),$@.role)
--	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-+#	$(call perrole-expansion,$(basename $(@F)),$@.role)
-+	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
- 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
- 
- $(tmpdir)/%.mod.fc: $(m4support) %.fc
-@@ -129,7 +129,7 @@
- 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
- # define all available object classes
- 	$(verbose) $(genperm) $(avs) $(secclass) > $@
--	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
-+#	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
- 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
- 
- $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
-@@ -147,7 +147,7 @@
- $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/rolemap.conf: $(rolemap)
- 	$(verbose) echo "" > $@
--	$(call parse-rolemap,base,$@)
-+#	$(call parse-rolemap,base,$@)
- 
- $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
---- nsaserefpolicy/Rules.monolithic	2007-11-20 06:55:20.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.monolithic	2008-04-21 11:02:47.854791000 -0400
-@@ -96,7 +96,7 @@
- #
- # Load the binary policy
- #
--reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
-+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
- 	@echo "Loading $(NAME) $(loadpath)"
- 	$(verbose) $(LOADPOLICY) -q $(loadpath)
- 	@touch $(tmpdir)/load
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context
 --- nsaserefpolicy/config/appconfig-mcs/failsafe_context	2007-10-12 08:56:09.000000000 -0400
 +++ serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context	2008-04-21 11:02:47.859787000 -0400
@@ -791,6 +691,62 @@
 +system_r:sshd_t		xguest_r:xguest_t
 +system_r:crond_t	xguest_r:xguest_crond_t
 +system_r:xdm_t		xguest_r:xguest_t
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
+--- nsaserefpolicy/Makefile	2008-02-06 10:33:22.000000000 -0500
++++ serefpolicy-3.3.1/Makefile	2008-04-21 11:02:47.842805000 -0400
+@@ -235,7 +235,7 @@
+ appdir := $(contextpath)
+ user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+ user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+ net_contexts := $(builddir)net_contexts
+ 
+ all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+@@ -309,20 +309,22 @@
+ 
+ # parse-rolemap modulename,outputfile
+ define parse-rolemap
+-	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+-		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
++	echo "" >> $2
++#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
++#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ endef
+ 
+ # perrole-expansion modulename,outputfile
+ define perrole-expansion
+-	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+-	$(call parse-rolemap,$1,$2)
+-	$(verbose) echo "')" >> $2
+-
+-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+-	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+-	$(call parse-rolemap-compat,$1,$2)
+-	$(verbose) echo "')" >> $2
++	echo "No longer doing perrole-expansion"
++#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
++#	$(call parse-rolemap,$1,$2)
++#	$(verbose) echo "')" >> $2
++
++#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
++#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
++#	$(call parse-rolemap-compat,$1,$2)
++#	$(verbose) echo "')" >> $2
+ endef
+ 
+ # create-base-per-role-tmpl modulenames,outputfile
+@@ -521,6 +523,10 @@
+ 	@mkdir -p $(appdir)/users
+ 	$(verbose) $(INSTALL) -m 644 $^ $@
+ 
++$(appdir)/initrc_context: $(tmpdir)/initrc_context
++	@mkdir -p $(appdir)
++	$(verbose) $(INSTALL) -m 644 $< $@
++
+ $(appdir)/%: $(appconf)/%
+ 	@mkdir -p $(appdir)
+ 	$(verbose) $(INSTALL) -m 644 $< $@
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.3.1/man/man8/httpd_selinux.8
 --- nsaserefpolicy/man/man8/httpd_selinux.8	2008-02-18 14:30:19.000000000 -0500
 +++ serefpolicy-3.3.1/man/man8/httpd_selinux.8	2008-04-21 11:02:47.931714000 -0400
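Review bot: The `perrole-expansion` template on the new side is reduced to an unsilenced `echo "No longer doing perrole-expansion"` followed by eight commented-out recipe lines, and its only visible caller (the `$(call perrole-expansion,…)` in the Rules.modular hunk at the end of this diff) is commented out as well, so the define is dead code that would still echo both the command and its text if anything invoked it. Commented-out recipe lines mislead the next reader; the `$(M4) … | $(AWK)` body kept under `#` in `parse-rolemap` and the `#` lines in `perrole-expansion` should be deleted outright, and if the stub must stay it should be `@echo "No longer doing perrole-expansion"` so it does not print twice. The same pattern recurs in the Rules.modular hunk for the commented `$(call perrole-expansion …)`, `$(call create-base-per-role-tmpl …)` and `$(call parse-rolemap,base,$@)` lines. The Makefile lines here appear identical to the ones removed from the top of the patch, so this looks like a re-diff that moved the section rather than a change to it — the cleanup belongs in the patch content itself.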
@@ -2577,6 +2533,109 @@
  	usermanage_domtrans_groupadd(rpm_script_t)
  	usermanage_domtrans_useradd(rpm_script_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if	2007-12-04 11:02:51.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if	2008-04-21 11:02:48.070575000 -0400
+@@ -55,7 +55,7 @@
+ 	#
+ 
+ 	# Use capabilities.
+-	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
++	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ 	allow $1_sudo_t self:process { setexec setrlimit };
+ 	allow $1_sudo_t self:fd use;
+@@ -68,33 +68,35 @@
+ 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+ 	allow $1_sudo_t self:unix_dgram_socket sendto;
+ 	allow $1_sudo_t self:unix_stream_socket connectto;
+-	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
++	allow $1_sudo_t self:key manage_key_perms;
[...2041 lines suppressed...]
-@@ -4778,6 +5011,14 @@
+@@ -4778,6 +5017,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -33691,7 +33916,7 @@
  ')
  
  ########################################
-@@ -4839,6 +5080,26 @@
+@@ -4839,6 +5086,26 @@
  
  ########################################
  ## <summary>
@@ -33718,7 +33943,7 @@
  ##	Create, read, write, and delete all directories
  ##	in all users home directories.
  ## </summary>
-@@ -4859,6 +5120,25 @@
+@@ -4859,6 +5126,25 @@
  
  ########################################
  ## <summary>
@@ -33744,7 +33969,7 @@
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4879,6 +5159,26 @@
+@@ -4879,6 +5165,26 @@
  
  ########################################
  ## <summary>
@@ -33771,7 +33996,7 @@
  ##	Create, read, write, and delete all symlinks
  ##	in all users home directories.
  ## </summary>
-@@ -5115,7 +5415,7 @@
+@@ -5115,7 +5421,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -33780,7 +34005,7 @@
  	')
  
  	files_search_home($1)
-@@ -5304,6 +5604,63 @@
+@@ -5304,6 +5610,63 @@
  
  ########################################
  ## <summary>
@@ -33844,7 +34069,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5509,7 +5866,7 @@
+@@ -5509,7 +5872,7 @@
  
  ########################################
  ## <summary>
@@ -33853,7 +34078,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5517,18 +5874,17 @@
+@@ -5517,18 +5880,17 @@
  ##	</summary>
  ## </param>
  #
@@ -33876,7 +34101,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5536,17 +5892,17 @@
+@@ -5536,17 +5898,17 @@
  ##	</summary>
  ## </param>
  #
@@ -33898,7 +34123,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5554,12 +5910,49 @@
+@@ -5554,18 +5916,55 @@
  ##	</summary>
  ## </param>
  #
@@ -33910,11 +34135,13 @@
  	')
  
 -	read_files_pattern($1,userdomain,userdomain)
+-	kernel_search_proc($1)
 +	allow $1 user_ttynode:chr_file rw_term_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of all user domains.
 +##	Do not audit attempts to use unprivileged
 +##	user ttys.
 +## </summary>
@@ -33948,10 +34175,16 @@
 +	')
 +
 +	ps_process_pattern($1,userdomain)
- 	kernel_search_proc($1)
- ')
- 
-@@ -5674,6 +6067,42 @@
++	kernel_search_proc($1)
++')
++
++########################################
++## <summary>
++##	Get the attributes of all user domains.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5674,6 +6073,42 @@
  
  ########################################
  ## <summary>
@@ -33994,7 +34227,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5704,3 +6133,370 @@
+@@ -5704,3 +6139,370 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -35020,7 +35253,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-04-21 11:02:50.611505000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-04-23 10:09:03.411358000 -0400
 @@ -0,0 +1,174 @@
 +
 +policy_module(virt,1.0.0)
@@ -35058,7 +35291,7 @@
 +files_type(virt_var_lib_t)
 +
 +type virt_etc_t;
-+files_type(virt_etc_t)
++files_config_file(virt_etc_t)
 +
 +type virt_etc_rw_t;
 +files_type(virt_etc_rw_t)
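Review bot: `files_config_file(virt_etc_t)` attaches the `configfile` attribute to the libvirt configuration label, which widens read access from domains that explicitly target `virt_etc_t` to every domain that calls `files_read_config_files()`; the commit message says this is the intent, but nothing in the hunk shows whether any file that will carry `virt_etc_t` holds material that should stay private to the virt daemon (the file contexts that assign this label are outside this hunk and should be checked before the attribute is granted). A comment recording the decision would help the next maintainer, e.g. `# configfile: unprivileged user domains need to read the libvirt config`, placed above `type virt_etc_t;`. Note that `virt_etc_rw_t` on the following line stays a plain `files_type`, so the writable configuration is not widened — worth stating in that comment too. The enclosing virt.te is a new 174-line file of which only this fragment is visible.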
@@ -35867,3 +36100,47 @@
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
+--- nsaserefpolicy/Rules.modular	2007-12-19 05:32:18.000000000 -0500
++++ serefpolicy-3.3.1/Rules.modular	2008-04-21 11:02:47.848797000 -0400
+@@ -73,8 +73,8 @@
+ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ 	@echo "Compliling $(NAME) $(@F) module"
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+-	$(call perrole-expansion,$(basename $(@F)),$@.role)
+-	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++#	$(call perrole-expansion,$(basename $(@F)),$@.role)
++	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+ 
+ $(tmpdir)/%.mod.fc: $(m4support) %.fc
+@@ -129,7 +129,7 @@
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+ # define all available object classes
+ 	$(verbose) $(genperm) $(avs) $(secclass) > $@
+-	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
++#	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+ 
+ $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+@@ -147,7 +147,7 @@
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
+ 	$(verbose) echo "" > $@
+-	$(call parse-rolemap,base,$@)
++#	$(call parse-rolemap,base,$@)
+ 
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
+--- nsaserefpolicy/Rules.monolithic	2007-11-20 06:55:20.000000000 -0500
++++ serefpolicy-3.3.1/Rules.monolithic	2008-04-21 11:02:47.854791000 -0400
+@@ -96,7 +96,7 @@
+ #
+ # Load the binary policy
+ #
+-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
++reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
+ 	@echo "Loading $(NAME) $(loadpath)"
+ 	$(verbose) $(LOADPOLICY) -q $(loadpath)
+ 	@touch $(tmpdir)/load
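Review bot: In the Rules.modular hunk at `@@ -129,7 +129,7 @@`, the line `$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true` masks a failure of `$(setbools)` as well as the absence of the booleans file, so a target can be written without its boolean definitions and still look up to date on the next run; the rule's header is outside the hunk, so which target is affected is not visible here. The guard should only cover the existence test, e.g. `$(verbose) if test -f $(booleans); then $(setbools) $(booleans) >> $@; fi`. These lines are unchanged upstream context carried along by the re-diff rather than something this patch introduces, so the fix presumably belongs upstream. The Rules.monolithic header `reload $(tmpdir)/load: …` in the same hunk likewise defines two independent rules for one recipe, which is fragile under `make -j` — also inherited, and only noted here.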


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.655
retrieving revision 1.656
diff -u -r1.655 -r1.656
--- selinux-policy.spec	22 Apr 2008 19:16:28 -0000	1.655
+++ selinux-policy.spec	23 Apr 2008 20:29:30 -0000	1.656
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 38%{?dist}
+Release: 39%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -385,8 +385,8 @@
 %endif
 
 %changelog
-* Tue Apr 22 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-38
-- Bump for release
+* Wed Apr 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-39
+- Change etc files to config files to allow users to read them
 
 * Fri Apr 14 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-37
 - Lots of fixes for confined domains on NFS_t homedir



